Entries in regex
(3)

I created a quick Regular Expressions (Regex) quiz to help students with a basic understanding of Regex begin to understand patterns that it can be applied to. You can find the google doc version of this quiz here. If you are not familiar with Regex already you can view a tutorial here.

For those who prefer to see the questions directly on TekDefense, here they are:

1. Write a Regular Expression that will match a date that follows the following standard “YYYY-MM-DD”.

2. Write a Regular Expression that will match a traditional SSN.

3. Write a Regular Expression that will match an IPv4 address.

4. Write a Regular Expression that will match an email address.

5. Given the example text that follows, which of the Regular Expressions will match only the MD5 hashes. Circle all that apply.

6. From your answer to question 5 which of the valid Regular Expressions for an MD5 hash is the most specific and reusable for finding MD5 hashes in the future.

** Warning Answers below this line **

--------------------------------------------

Answers: Keep in mind that as this is Regex, there are many right answers. If you have something different than what I have below it may still be right. The best way to check is to test it out. You can test with Notepad++ or take a different route such as RegExr. The answer to the fourth question will not work with all email addresses. There are much more complex expressions that will catch a greater sum of the email addresses. This one is focused on the format of john@example.com.

Notepad++ is a free (as in "free speech" and also as in "free beer") source code editor and Notepad replacement that supports several languages. Running in the MS Windows environment, its use is governed by GPL License.

Based on the powerful editing component Scintilla, Notepad++ is written in C++ and uses pure Win32 API and STL which ensures a higher execution speed and smaller program size. By optimizing as many routines as possible without losing user friendliness, Notepad++ is trying to reduce the world carbon dioxide emissions. When using less CPU power, the PC can throttle down and reduce power consumption, resulting in a greener environment.

While most of us probably live in the linux world where their are already built in text editors that allow for much of the functionality I will speak to today, there are many that use Windows as their primary box. In some cases our employers push Windows on us, as they don't trust open source.

Either way we all probably have a windows box somewhere, even if it is just for malware analysis, or dare I say gaming. Notepad++ is THE text editor to use in these situations. With a large community building plugins, the features are limitless. Today though we will be focusing on the Regex capabilities.

To review for those of you who did not watch my Regex Tektip, Regex or Regular Expressions are method to match patterns in strings using a flexible syntax. I recommend you watch the Regex Tektip if you have not already.

To begin we are going to get a log of my latest Kippo hits from my honeydrive instance, which we will then try to manipulate. Here is a small sample:

Now lets say we just wanted the passwords from this log. As this is just a small sampling, you can imagine doing this manually would not be a fun task. Luckily, Notepad++ has a solution for this. Open Notepad++ and paste the logs I put above in if you would like to follow along. With Notepad++ open, hit ctrl+f to bring up the search function.

The Find function has a lot of options. We will start in the Find Tab for now, and then move to the Replace. By having the Regular expression radio button selected in the bottom left we are telling Notepad++ we will be using Regex. There are some other options but we will focus on this for now.

Now we need to build our regex that will wind the password. As their is nothing unique specifically about the passwords that we can pull for this we will have to use a pattern and select what we want from that pattern using (). I hate to mention this again, but if you have not already watched my regex tutorial, now is the time to do so.

Looking at the log, we can quickly identify where the password is. The username and password are always between [] and always separated by a /. The Regex for what I just described is this:

\[\w+\/.+\]

To break it down for you we are looking for "[" which is the "\[", then we are looking for any number of word characters which is covered by "\w+", then a "/" which is covered with "\/", then any number of any characters which is covered by ".+" and lastly a "]" which is covered by "\]".

Now with that regex in the find box click find all in current document which should give you something like this:

Great! Now we have a regex string that matches what we are looking for, but how do you get the data out of that log? That is what I had a little trouble with at first. I feel like I should be able to ctrl+c and ctrl+v like there is no tomorrow, but that is not the case. We have to instead use the replace feature. That is why we need to wrap () around where the password is in our regex. So lets switch to the replace tab, and add our modified regex which should now look like this:

\[\w+\/(.+)\]

Now add \1 to the replace field. What this means is replace with the pattern specified in the first set of (), in our case (.+) which is where the password is in the pattern. Now hit replace a couple times to see what it is doing. So as you can probably tell, we are closer to what we want but not quite there. This is replacing the [username/password] with password but the rest of the line is still there.

I know what you are saying at this point, "Dang 1aN0rmus, why should I bother I could probably have done this manually by now". I understand your frustration, but trust me, after you do this a few times you'll be eating up logs like it's no ones business. Don't fret, we will get through this.

So, how do we get the rest of the line? It's very simple, we just have to build a regex that will capture the entire line but pull out what we need. This is easier than you are thinking. This can almost always be done by adding a ".+" before and after the regex string you already built. Giving us the following:

.+\[\w+\/(.+)\].+

Now we can when we hit replace lets see what happens.

Perfect! Just what we wanted. Click Replace All and you are done. The file is perfectly formatted for Pipal

This methodology will help you tremendously, but remember you will need to change up your regex and even your replacement text to fit each new situation. This will work fin for pulling passwords from all Kippo logs, but if your mission changes and you would like usernames and passwords you would need to modify this to suit your needs. Hopefully you have the tools to accomplish this now though.